diff options
| author | Chris Cowart <ccowart@timesinks.net> | 2025-11-15 22:39:53 -0800 |
|---|---|---|
| committer | Chris Cowart <ccowart@timesinks.net> | 2025-11-21 18:22:43 -0800 |
| commit | 090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b (patch) | |
| tree | a96d8dcad9a2cfbeb2a2e9ea098fc7aa65da3aee | |
| parent | cae2717e9a608a1706e9dc134f7d560453ec4bfe (diff) | |
| download | vyos-1x-090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b.tar.gz vyos-1x-090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b.zip | |
T8027: vpn: adding config for swanctl "send-cert always"
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
| -rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 | 3 | ||||
| -rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 6 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 21 |
3 files changed, 26 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index c79f292b4..d06b3d74b 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -8,6 +8,9 @@ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} send_certreq = no +{% if rw_conf.authentication.always_send_cert is vyos_defined %} + send_cert = always +{% endif %} {% if ike.dead_peer_detection is vyos_defined %} dpd_timeout = {{ ike.dead_peer_detection.timeout }} dpd_delay = {{ ike.dead_peer_detection.interval }} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 517bf89fd..7d901402d 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -870,6 +870,12 @@ <defaultValue>eap-mschapv2</defaultValue> </leafNode> #include <include/auth-local-users.xml.i> + <leafNode name="always-send-cert"> + <properties> + <help>Always send local certificate for this connection</help> + <valueless/> + </properties> + </leafNode> <leafNode name="server-mode"> <properties> <help>Server authentication mode</help> diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 4cb23fbc0..637e854a2 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -1151,10 +1151,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): for line in swanctl_lines: self.assertIn(line, swanctl_conf) - swanctl_unexpected_lines = [ - f'auth = eap-', - f'eap_id' - ] + swanctl_unexpected_lines = [f'auth = eap-', f'eap_id', f'send_cert ='] for unexpected_line in swanctl_unexpected_lines: self.assertNotIn(unexpected_line, swanctl_conf) @@ -1171,6 +1168,22 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}.pem'))) self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem'))) + # Add the always-send-cert config and observe the change + self.cli_set( + base_path + + [ + 'remote-access', + 'connection', + conn_name, + 'authentication', + 'always-send-cert', + ] + ) + self.cli_commit() + + swanctl_conf = read_file(swanctl_file) + self.assertIn(f'send_cert = always', swanctl_conf) + self.tearDownPKI() def test_remote_access_dhcp_fail_handling(self): |
